qa-only
Conducts thorough QA testing on web applications, generating detailed reports without fixing any issues.
Security score
The qa-only skill was audited on Mar 17, 2026 and we found 22 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
Piping content to bash shell
| 112 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
Curl to non-GitHub URL
| 112 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
Fetch to external URL
| 154 | - API endpoints → test them directly with `$B js "await fetch('/api/...')"` |
Access to hidden dotfiles in home directory
| 21 | _UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 23 | mkdir -p ~/.gstack/sessions |
Access to hidden dotfiles in home directory
| 24 | touch ~/.gstack/sessions/"$PPID" |
Access to hidden dotfiles in home directory
| 25 | _SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d ' ') |
Access to hidden dotfiles in home directory
| 26 | find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true |
Access to hidden dotfiles in home directory
| 27 | _CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true) |
Access to hidden dotfiles in home directory
| 30 | If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with |
Access to hidden dotfiles in home directory
| 51 | **To file:** write `~/.gstack/contributor-logs/{slug}.md` with this structure: |
Access to hidden dotfiles in home directory
| 71 | Then run: `mkdir -p ~/.gstack/contributor-logs && open ~/.gstack/contributor-logs/{slug}.md` |
Access to hidden dotfiles in home directory
| 101 | [ -z "$B" ] && B=~/.claude/skills/gstack/browse/dist/browse |
Access to hidden dotfiles in home directory
| 127 | 1. **Project-scoped test plans:** Check `~/.gstack/projects/` for recent `*-test-plan-*.md` files for this repo |
Access to hidden dotfiles in home directory
| 130 | ls -t ~/.gstack/projects/$SLUG/*-test-plan-*.md 2>/dev/null | head -1 |
Access to hidden dotfiles in home directory
| 422 | mkdir -p ~/.gstack/projects/$SLUG |
Access to hidden dotfiles in home directory
| 424 | Write to `~/.gstack/projects/{slug}/{user}-{branch}-test-outcome-{datetime}.md` |
External URL reference
| 85 | | Target URL | (auto-detect or required) | `https://myapp.com`, `http://localhost:3000` | |
External URL reference
| 112 | 3. If `bun` is not installed: `curl -fsSL https://bun.sh/install | bash` |
External URL reference
| 159 | $B goto http://localhost:3000 2>/dev/null && echo "Found app on :3000" || \ |
External URL reference
| 160 | $B goto http://localhost:4000 2>/dev/null && echo "Found app on :4000" || \ |
External URL reference
| 161 | $B goto http://localhost:8080 2>/dev/null && echo "Found app on :8080" |